Public key encryption based on discrete logarithms - Mathematics of Public Key Cryptography

Cryptography Reference

In-Depth Information

The values w,w 1 ,w 2 ,k,k ,α are all uniquely determined but, by Lemma 23.2.1 , x 2 and

y 2 can take any values between 0 and r

1. Hence, u x 1 + αy 1

u x 2 + αy 2

−

equals any fixed value

v for exactly r of the r 2 choices for ( x 2 ,y 2 ).

Theorem 23.2.9 The basic Cramer-Shoup encryption scheme is IND-CCA secure if DDH

is hard and if the function H is target collision resistant.

Proof (Sketch) Let A be an adversary against the Cramer-Shoup scheme. Given a DDH

instance ( g 1 ,g 2 ,u 1 ,u 2 ) the simulator performs the KeyGen algorithm using the given values

g 1 ,g 2 . Hence, the simulator knows the private key ( x 1 ,x 2 ,y 1 ,y 2 ,z 1 ,z 2 ). The simulator runs

A with this public key.

The algorithm A makes decryption queries and these can be answered correctly by the

simulator since it knows the private key. Eventually, A outputs two messages ( m 0 , m 1 )

and asks for a challenge ciphertext. The simulator chooses a random b

∈{

0 , 1

}

, computes

1 u x 2 + y 2 2 . Here, and throughout this proof,

u 1 and u 2 denote the values in the DDH instance that was given to the simulator. The

simulator returns

u z 1 u z 2 m b , α

u x 1 + y 1 α

H ( u 1 ,u 2 ,e ) and v

c ∗ =

( u 1 ,u 2 ,e,v ) .

to A . The adversary A continues to make decryption queries, which are answered as above.

Eventually, A outputs a bit b . The simulator returns “valid” as the answer to the DDH

instance if b

b and “invalid” otherwise.

The central idea is that if the input is a valid DDH tuple then c ∗ is a valid encryption of

m b and so A ought to be able to guess b correctly with non-negligible probability. On the

other hand, if the input is not a valid DDH tuple then, by Lemma 23.2.1 , u z 1 u z 2 could be

any element in G (with equal probability) and so c ∗ could be an encryption of any message

G . Hence, given c ∗ , both messages m 0 and m 1 are equally likely and so the adversary

can do no better than output a random bit. (Of course, A may actually output a fixed bit in

this case, such as 0, but this is not a problem since b was randomly chosen.)

There are several subtleties remaining in the proof. First, by Lemma 23.2.8 , before the

challenge ciphertext has been received there is a negligible probability that a ciphertext that

was not produced by the Encrypt algorithm satisfies equation ( 23.1 ). Hence, the simulation

is correct with overwhelming probability. However, the challenge ciphertext is potentially

an example of a ciphertext that satisfies equation ( 23.1 ) and yet is not a valid output of the

algorithm Encrypt. It is necessary to analyse the probability that A can somehow produce

another ciphertext that satisfies equation ( 23.1 ) without just running the Encrypt algorithm.

The target collision resistance of the hash function enters at this point (since a ciphertext

of the form ( u 1 ,u 2 ,e ,v ) such that H ( u 1 ,u 2 ,e )

∈

H ( u 1 ,u 2 ,e ) would pass the test). Due

to lack of space we refer to Section 4 of [ 147 ] (for a direct proof) or Section 6.2 of [ 149 ]

(for a proof using “game hopping”).

A number of variants of the basic scheme are given by Cramer and Shoup [ 149 ] and

other authors. In particular, one can design a KEM based on the Cramer-Shoup scheme (see

Mathematics of Public Key Cryptography

Search WWH ::

Custom Search

Home